
Security and trust

CoPa handles custody schedules, messages, medical notes, and financial records for families going through some of the hardest moments of their lives. We take that responsibility seriously. Here is exactly how we protect your data.

Where your data lives

Database

All structured data (messages, schedules, expenses, Bridge Notes, journal entries) is stored in PostgreSQL hosted on Neon, a serverless Postgres provider. Neon runs on AWS infrastructure in the US. Data is encrypted at rest using AES-256.

File storage

Documents, receipts, and attachments are stored in Cloudflare R2, an S3-compatible object store. Files are encrypted at rest. Every file URL is pre-signed with a short expiry (15 minutes for reads, 5 minutes for uploads). There are no public buckets. Raw storage keys are never exposed to the client.

API and compute

The CoPa API runs on Cloudflare Workers, which execute at the edge in over 300 locations worldwide. All traffic is served over HTTPS with TLS 1.2 or higher. There is no plaintext HTTP endpoint.

Authentication

CoPa uses Clerk for authentication. Clerk handles password hashing, session management, and multi-factor authentication. CoPa never stores passwords or session tokens directly. Every API request requires a valid, signed JWT verified server-side before any data is returned.

Encryption

In transit

All data moving between your device and CoPa's servers is encrypted with TLS 1.2+. This applies to API calls, file uploads, file downloads, and SMS Relay webhook traffic.

At rest

Database storage is encrypted at rest using AES-256 via Neon's managed encryption. File storage in Cloudflare R2 is encrypted at rest by default. Backups inherit the same encryption.

Why not end-to-end encryption?

CoPa does not use end-to-end encryption. This is a deliberate decision, not an oversight. Court-admissible records require the platform to certify the integrity of what was said and when. If messages were encrypted such that only the two parents could read them, CoPa could not sign and verify exports, generate Calm Reading rewrites, or produce records that a third party (attorney, mediator, judge) can independently verify. The platform is the trusted third party. That role is incompatible with E2E encryption.

Who can see your data

Your co-parent

Your co-parent sees the shared calendar, messages, expenses, Bridge Notes, and documents. They do not see your private journal, your Calm Reading rewrites, or your notification settings.

Your attorney (if invited)

If you invite an attorney through the Legal Portal, they can view shared records for the specific case they are assigned to. They cannot modify records, send messages, or access data outside their assigned case.

CoPa employees

CoPa employees can access message content, schedule data, and file metadata for the purpose of customer support, debugging, and responding to lawful requests. We do not browse family data casually or proactively. Access is logged. We will never sell, share, or use your family's data for advertising, training AI models, or any purpose beyond operating the service.

Law enforcement and courts

CoPa will comply with valid legal process (subpoenas, court orders, warrants). We will notify affected users before disclosing data unless we are legally prohibited from doing so.

Nobody else

Every database query in CoPa is scoped to a single family. There is no global search, no cross-family data access, and no admin bypass that skips authorization checks. The architecture enforces family-level isolation at the query layer, not just the UI.
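What enforcing family-level isolation at the query layer can look like, as an added example that is not CoPa's own code. The table and column names, the `family_id` claim, and the `scopedSelect` helper are assumptions made for illustration.

```javascript
// Added illustration: the schema below is hypothetical, not CoPa's.
const TABLES = new Map([
  ["messages", ["id", "sender_id", "body", "created_at"]],
  ["expenses", ["id", "payer_id", "amount_cents", "created_at"]],
]);

// Build a parameterized SELECT that is always constrained to one family.
// `claims` must come from a JWT whose signature was already verified
// server-side; the family is never taken from request parameters.
function scopedSelect(claims, table, filters = {}) {
  const familyId = claims && claims.family_id;
  if (typeof familyId !== "string" || familyId === "") {
    throw new Error("no family scope in verified claims");
  }
  const columns = TABLES.get(table);
  if (!columns) throw new Error(`unknown table: ${table}`);

  const where = ["family_id = $1"];
  const values = [familyId];
  for (const [col, val] of Object.entries(filters)) {
    // Callers may narrow results within the family, never pick the family.
    if (col === "family_id") throw new Error("family_id is not caller-settable");
    if (!columns.includes(col)) throw new Error(`unknown column: ${col}`);
    values.push(val);
    where.push(`${col} = $${values.length}`);
  }
  return {
    text: `SELECT ${columns.join(", ")} FROM ${table} WHERE ${where.join(" AND ")}`,
    values,
  };
}

// Constructed sample: claims as they would look after verification.
const sampleClaims = { sub: "user_a", family_id: "fam_123" };
const sampleQuery = scopedSelect(sampleClaims, "messages", { sender_id: "user_b" });
console.log(sampleQuery.text, sampleQuery.values);
```

Because the helper is the only way to build a query and it has no unscoped variant, a forgotten filter in a route handler cannot turn into cross-family access.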

Immutability as a security feature

Messages, schedule changes, expenses, and Bridge Notes cannot be edited or deleted by either parent, by CoPa staff, or by anyone else. Audit logs are append-only. This is not a policy enforced by access controls that could be overridden. The application has no edit or delete operations for these record types. The code path does not exist. If a record is in the system, it has not been altered since it was created.

Backups and disaster recovery

Database backups

Neon provides continuous point-in-time recovery. The database can be restored to any point within the retention window. Backups are encrypted and stored separately from the primary database.

File backups

Cloudflare R2 provides built-in redundancy across multiple storage locations. Files are durably stored with high availability guarantees.

No single points of failure

CoPa's API runs on Cloudflare's global network with automatic failover. The database runs on Neon's managed infrastructure with automated health checks and recovery. We do not operate our own servers.

Breach disclosure

If CoPa experiences a data breach that exposes personal information, we will:

  1. Notify affected users by email within 72 hours of confirming the breach.
  2. Describe what data was exposed, what we know about how it happened, and what we are doing about it.
  3. Report to relevant regulatory authorities as required by applicable law.
  4. Publish a post-incident report once the investigation is complete.

We will not bury a breach in a settings page update or a terms-of-service revision. If something goes wrong, we will say so directly.
